Message ID | 20250219162131.416719-3-zohar@linux.ibm.com (mailing list archive)
---|---
State | New
Series | ima: limit both open-writers and ToMToU violations
On 2/19/25 11:21 AM, Mimi Zohar wrote: > Each time a file in policy, that is already opened for read, is opened > for write a Time-of-Measure-Time-of-Use (ToMToU) integrity violation > audit message is emitted and a violation record is added to the IMA > measurement list, even if a ToMToU violation has already been recorded. > > Limit the number of ToMToU integrity violations for an existing file > open for read. > > Note: The IMA_MUST_MEASURE atomic flag must be set from the reader side > based on policy. This may result in a per open reader additional ToMToU > violation. > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> > --- > security/integrity/ima/ima_main.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index cde3ae55d654..f1671799a11b 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -129,9 +129,10 @@ static void ima_rdwr_violation_check(struct file *file, > if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) { > if (!iint) > iint = ima_iint_find(inode); > + > /* IMA_MEASURE is set from reader side */ > - if (iint && test_bit(IMA_MUST_MEASURE, > - &iint->atomic_flags)) > + if (iint && test_and_clear_bit(IMA_MUST_MEASURE, > + &iint->atomic_flags)) > send_tomtou = true; > } > } else {
Hi Mimi,
LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
Hi Mimi,
Tested-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index cde3ae55d654..f1671799a11b 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -129,9 +129,10 @@ static void ima_rdwr_violation_check(struct file *file, if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) { if (!iint) iint = ima_iint_find(inode); + /* IMA_MEASURE is set from reader side */ - if (iint && test_bit(IMA_MUST_MEASURE, - &iint->atomic_flags)) + if (iint && test_and_clear_bit(IMA_MUST_MEASURE, + &iint->atomic_flags)) send_tomtou = true; } } else {
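Review bot: The comment left in place just above the changed lines, `/* IMA_MEASURE is set from reader side */`, names IMA_MEASURE while the bit being tested is IMA_MUST_MEASURE, and after this hunk the writer side also clears that bit, which the comment does not say; suggest rewording it along the lines of `/* IMA_MUST_MEASURE is set from the reader side and cleared here so only one ToMToU violation is recorded per reader-side set */`, since the commit message's caveat that each reader open may add another ToMToU violation is otherwise only discoverable from the switch to test_and_clear_bit(). The added blank line before the comment is an unrelated whitespace change and could be dropped to keep the hunk minimal.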
Each time a file in policy, that is already opened for read, is opened for write a Time-of-Measure-Time-of-Use (ToMToU) integrity violation audit message is emitted and a violation record is added to the IMA measurement list, even if a ToMToU violation has already been recorded.

Limit the number of ToMToU integrity violations for an existing file open for read.

Note: The IMA_MUST_MEASURE atomic flag must be set from the reader side based on policy. This may result in a per open reader additional ToMToU violation.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
security/integrity/ima/ima_main.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
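The effect the commit message describes, shown as an added user-space model that is not part of the patch or of the kernel's IMA code: a reader-side open sets a "must measure" flag, and the writer-side check either only observes it (test_bit, the pre-patch behaviour) or consumes it (test_and_clear_bit, the post-patch behaviour). The struct and function names (model_inode, reader_open, writer_open, count_tomtou, count_tomtou_reopen) and the flag value are hypothetical stand-ins for inode->i_readcount, iint->atomic_flags and IMA_MUST_MEASURE; the model runs the writer check once per writer open, the way ima_rdwr_violation_check() is reached on open.

```c
/* Added example, not kernel code: a user-space model of the writer-side
 * ToMToU check, contrasting test_bit() with test_and_clear_bit(). */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the IMA_MUST_MEASURE atomic flag bit. */
#define MODEL_IMA_MUST_MEASURE 0x1u

struct model_inode {
    atomic_int readcount;      /* stands in for inode->i_readcount */
    atomic_uint atomic_flags;  /* stands in for iint->atomic_flags */
};

/* Reader side: when policy says the file must be measured, set the flag. */
static void reader_open(struct model_inode *ino, bool in_policy)
{
    atomic_fetch_add(&ino->readcount, 1);
    if (in_policy)
        atomic_fetch_or(&ino->atomic_flags, MODEL_IMA_MUST_MEASURE);
}

static void reader_close(struct model_inode *ino)
{
    atomic_fetch_sub(&ino->readcount, 1);
}

/* Pre-patch semantics: observe the bit without changing it. */
static bool model_test_bit(struct model_inode *ino)
{
    return (atomic_load(&ino->atomic_flags) & MODEL_IMA_MUST_MEASURE) != 0;
}

/* Post-patch semantics: atomically observe and clear the bit. */
static bool model_test_and_clear_bit(struct model_inode *ino)
{
    unsigned old = atomic_fetch_and(&ino->atomic_flags, ~MODEL_IMA_MUST_MEASURE);
    return (old & MODEL_IMA_MUST_MEASURE) != 0;
}

/* Writer side: true when a ToMToU violation would be recorded for this open. */
static bool writer_open(struct model_inode *ino, bool use_clear)
{
    if (atomic_load(&ino->readcount) <= 0)
        return false;  /* no existing reader, so no ToMToU case */
    return use_clear ? model_test_and_clear_bit(ino) : model_test_bit(ino);
}

/* One reader in policy, then `writers` successive writer opens. */
static int count_tomtou(int writers, bool use_clear)
{
    struct model_inode ino = { 0 };
    int violations = 0;

    reader_open(&ino, true);
    for (int i = 0; i < writers; i++)
        if (writer_open(&ino, use_clear))
            violations++;
    reader_close(&ino);
    return violations;
}

/* The caveat from the commit message: a further reader open sets the flag
 * again, so with test_and_clear_bit() one more violation can follow. */
static int count_tomtou_reopen(int writers_before, int writers_after)
{
    struct model_inode ino = { 0 };
    int violations = 0;

    reader_open(&ino, true);
    for (int i = 0; i < writers_before; i++)
        if (writer_open(&ino, true))
            violations++;
    reader_open(&ino, true);          /* second reader, flag set again */
    for (int i = 0; i < writers_after; i++)
        if (writer_open(&ino, true))
            violations++;
    reader_close(&ino);
    reader_close(&ino);
    return violations;
}

int main(void)
{
    printf("test_bit:           %d violations for 5 writer opens\n", count_tomtou(5, false));
    printf("test_and_clear_bit: %d violations for 5 writer opens\n", count_tomtou(5, true));
    printf("two reader opens:   %d violations for 3+3 writer opens\n", count_tomtou_reopen(3, 3));
    return 0;
}
```

With test_bit() every writer open against an existing reader produces a violation record; with test_and_clear_bit() the first writer open consumes the flag and later ones are silent until another reader open in policy sets it again, which is the "per open reader additional ToMToU violation" the commit message warns about.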